Landing Zone Failure #10
Comments
You may update the role used for cross account access in the global-config file. The property is named managementAccountAccessRole.
Thank you so much @crissupb. It worked just fine! Now I am getting another error related to Amazon Detective: Message returned: ServiceQuotaExceededException: ACCOUNT_VOLUME_UNKNOWN. I have searched online to figure out how this can be solved but couldn't find much info. Can you also help me with this, please? Detective is enabled by default in the security-config file. Will we face all these issues if we use Control Tower in our future deployments? Thank you!
Hello Team, any update on my recent inquiry? Can you please help me fix this so that we can complete our PoC? Thanks,
Do you have GuardDuty enabled? Amazon Detective cannot be enabled until GuardDuty has been enabled and running for at least 48 hours.
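The two prerequisites named in the replies above (a cross-account role the management account can actually assume, and a GuardDuty detector that has been enabled for at least 48 hours before Detective is turned on) can be verified before re-running the pipeline. This is an added pre-flight script, not LZA project code; it assumes the global-config values are passed in as a plain dict and that boto3 clients are injected, and the account id in the `__main__` block is a placeholder.

```python
"""Pre-flight checks for an LZA bootstrap that uses AWS Organizations
without Control Tower (added example; not part of the LZA project).
Assumptions: global-config values arrive as a dict; clients are injected
so the logic is testable offline. With real boto3 clients this calls
sts:AssumeRole and guardduty:ListDetectors / GetDetector.
"""
from datetime import datetime, timedelta, timezone

DEFAULT_ROLE = "OrganizationAccountAccessRole"  # LZA default with Control Tower off
CT_ROLE = "AWSControlTowerExecution"           # role LZA assumes with Control Tower on
GUARDDUTY_MIN_AGE = timedelta(hours=48)        # Detective prerequisite from the thread


def resolve_access_role(global_config):
    """Return the member-account role LZA should assume for this config."""
    ct_enabled = global_config.get("controlTower", {}).get("enable", False)
    explicit = global_config.get("managementAccountAccessRole")
    if explicit:
        return explicit
    return CT_ROLE if ct_enabled else DEFAULT_ROLE


def check_assume_role(sts_client, account_id, role_name):
    """Try sts:AssumeRole for 3600 s, the duration the CDK toolkit requests.
    Returns (ok, role_arn_or_error)."""
    arn = "arn:aws:iam::%s:role/%s" % (account_id, role_name)
    try:
        sts_client.assume_role(RoleArn=arn, RoleSessionName="lza-preflight",
                               DurationSeconds=3600)
        return True, arn
    except Exception as exc:  # botocore ClientError (AccessDenied) in practice
        return False, "%s: %s" % (arn, exc)


def guardduty_ready_for_detective(gd_client, now=None):
    """True if some ENABLED GuardDuty detector is at least 48 hours old."""
    now = now or datetime.now(timezone.utc)
    for det_id in gd_client.list_detectors().get("DetectorIds", []):
        info = gd_client.get_detector(DetectorId=det_id)
        created = datetime.fromisoformat(info["CreatedAt"].replace("Z", "+00:00"))
        if info.get("Status") == "ENABLED" and now - created >= GUARDDUTY_MIN_AGE:
            return True
    return False


if __name__ == "__main__":
    import boto3
    cfg = {"controlTower": {"enable": False},
           "managementAccountAccessRole": DEFAULT_ROLE}
    member_account = "123456789012"  # placeholder: a member (e.g. Security) account id
    print(check_assume_role(boto3.client("sts"), member_account, resolve_access_role(cfg)))
    print(guardduty_ready_for_detective(boto3.client("guardduty")))
```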
Thank you so much @crissupb. I will enable GuardDuty and try after 48 hours. Will keep you posted.
Hello @crissupb, I am now getting a new error related to enabling AWS Budgets on the linked accounts (Security, Network, and Logging). I have manually enabled Cost Explorer and am waiting 24 hours to set up the budgets. But this shouldn't be part of the solution. I can see that LZA created the "accel-budget" on the master account AWS Budget ($2,000). Can't we give this solution a role to enable it on the linked accounts without having to do that by ourselves manually? I am thinking of managing 100s of accounts. Apologies for the inconvenience but we are really excited to complete this setup manually without using Control Tower to help our clients build their Landing Zones in un-supported regions. Thanks,
@balannan - just to keep the sanity and relevance to the original post, could you please close the issue and open a new one if needed? Looks like this is a thread of multiple questions. As for your last comment, it would be more of a feature request than a bug.
Closing as the original issue was resolved.
Hello Team,
I hope you are doing well. I am testing AWS Landing Zone Accelerator and actually faced a lot of issues (using AWS Organizations instead of Control Tower) but I was able to fix them all. However, I am currently stuck with the Bootstrap phase of CodePipeline. The build stage is returning:
Cannot assume role for 3600 seconds: AccessDenied: User: arn:aws:sts::ManagementAccountID:assumed-role/AWSAccelerator-PipelineSt-AdminCdkToolkitRole292E1-LNLW330962BO/AWSCodeBuild-afe03dcb-5634-43cf-852f-8d5e1e7fbf79 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::SecurityAccountID:role/AWSControlTowerExecution
Although I have disabled Control Tower in the global-config file ("controlTower: enable: false"), the Bootstrap is still assuming that the Control Tower IAM role "AWSControlTowerExecution" exists, but this is not the case for me.
The Landing Zone Accelerator documentation stated that if Control Tower is not enabled, the default Role "OrganizationAccountAccessRole" would do the job. This role is present in all my org accounts and the master account can assume these roles but still, the bootstrap is expecting the "AWSControlTowerExecution" role.
Apologies for any inconvenience and thank you so much for your support on this.
Thanks,